#latamhackers Series: Week 4 - Geographic Targeting


This post is a part of our #latamhackers series, a 5-week series about some of the top techniques used by hackers in Central and South America.


#latAmHackers Series

During our 5-part series, Phishing for Answers will detail the most utilized hacking techniques in Latin America. Each post will include a summary of the technique, a recent example, and recommended mitigation measures.

Last week, we discussed how regional hackers rely on user execution to spread malware across targeted networks (read more here: #latamhackers: Week 3 - Reliance on User Execution). This week is all about how these groups incorporate tools targeting victims by location.

Here is the full list of techniques:

  1. Spearphishing

  2. Commodity tools

  3. Reliance on user execution

  4. Geographical targeting

  5. Overseas tool expansion


#4: Geographic Targeting

Summary:

Cybercriminals in the region tend to keep their operations close to home. Latin American advanced persistent threats (APTs) appear to be much more localized and specific in their targeting. While some groups have expanded operations to other parts of the world, they do not execute global campaigns to the degree other adversaries do. In fact, some APTs employ interesting techniques to target victims geographically and ensure that only particular users, systems or countries will be exploited.

Example:

BLIND EAGLE (also known as APT-C-36), an APT that favors commodity malware, often uses strategies to detect and exploit victims in Colombia. Between 2019 and 2021, this group launched a series of campaigns against the Colombian government and private sector organizations. A noteworthy feature of these campaigns was how BLIND EAGLE used URL shorteners to target users by location. The shortened link checked whether the visitor's IP address, or the exit point of their virtual private network (VPN), was in Colombia; if so, the victim was redirected to a malicious site. If a user's location was elsewhere, they were directed to a legitimate website instead.

Threat actors verify IP/VPN is not based in Colombia, and user is directed to the legitimate Google Photos site (Source: TrendMicro)

Threat actors verify IP/VPN is not based in Colombia, and user is directed to the legitimate National Directorate of Taxes and Customs (DIAN) site (Source: TrendMicro)
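One way a defender can surface this behaviour, as an added example that is not part of the original post or of any MITRE tooling: resolve each suspicious shortened link from several egress locations (an in-country vantage point and two out-of-country ones) and compare the final landing hosts, flagging any link whose destination depends on the requesting country. The observations, links and host names below are constructed placeholders.

```python
"""Flag shortened links whose final destination depends on the visitor's country.

Each observation records the redirect chain seen when a link was resolved
from a given vantage-point country (for example a sandbox with an
in-region egress versus one with an out-of-region egress).
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data (hypothetical links and hosts, not real indicators):
# (shortened link, vantage-point country, redirect chain as observed)
OBSERVATIONS = [
    ("https://short.example/abc", "CO", ["https://short.example/abc", "https://lure.example/download"]),
    ("https://short.example/abc", "US", ["https://short.example/abc", "https://legit-dian.example/"]),
    ("https://short.example/abc", "ES", ["https://short.example/abc", "https://legit-dian.example/"]),
    ("https://short.example/xyz", "CO", ["https://short.example/xyz", "https://photos.example/"]),
    ("https://short.example/xyz", "US", ["https://short.example/xyz", "https://photos.example/"]),
    ("https://short.example/only", "CO", ["https://short.example/only", "https://photos.example/"]),
]


def final_host(chain):
    """Lower-cased hostname of the last hop in a redirect chain."""
    return (urlparse(chain[-1]).hostname or "").lower()


def analyze_links(observations, min_vantage_points=2):
    """Classify each link as 'geofenced', 'consistent' or 'insufficient_coverage'.

    For a geofenced link the detail maps each landing host to the sorted list
    of vantage-point countries that were sent there, which shows directly
    which population the operator singled out. A link seen from fewer than
    min_vantage_points countries cannot be judged and is reported as such.
    """
    per_link = defaultdict(dict)
    for link, country, chain in observations:
        per_link[link][country] = final_host(chain)

    results = {}
    for link, landings in per_link.items():
        if len(landings) < min_vantage_points:
            results[link] = ("insufficient_coverage", sorted(landings))
            continue
        by_host = defaultdict(list)
        for country, host in landings.items():
            by_host[host].append(country)
        if len(by_host) == 1:
            results[link] = ("consistent", next(iter(by_host)))
        else:
            results[link] = ("geofenced", {h: sorted(c) for h, c in by_host.items()})
    return results


if __name__ == "__main__":
    for link, (verdict, detail) in analyze_links(OBSERVATIONS).items():
        print(f"{link}: {verdict} {detail}")
```

A link that resolves identically from every vantage point is not proof of safety; the check only detects destinations that vary by origin, so it should complement, not replace, inspection of the landing page itself.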

Mitigation Measures:

If threat actors in the region are targeting victims geographically, then it is imperative for users to disable all location sharing features on apps and devices. Additionally, organizations might consider creating tailored awareness training for users based in Central and South America.


Coming Up Next Week – What Will Technique #5 Be?

Next week, the #LatAmHackers series continues with a discussion of the final technique – expansion of their tools outside of the region. That post will cover the strategies used by Latin American cybercriminals to sell their toolsets to criminal groups around the world.


Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-02304-4. ©2022 The MITRE Corporation. ALL RIGHTS RESERVED.

